Digital Forensics in Commercial Litigation: Leveraging Electronic Evidence and Addressing Spoliation Risks
In an increasingly interconnected and technology-driven world, the significance of digital evidence has surged to the forefront of legal proceedings. Businesses' reliance on digital platforms and communication channels has created novel opportunities for fraudulent activities and employee misconduct by those so inclined. Technologies that improve efficiency and drive revenue also introduce risk into an organization, internal and external. If data can get in, then data can also get out.
When suspicions of employee data theft arise, organizations should follow a structured approach for the internal investigation. Here's a comprehensive roadmap:
Case Examples
The following case examples illustrate how digital evidence can be leveraged in your cases involving fraud and employee wrongdoing. Digital forensics can be used to uncover financial irregularities, analyze electronic communications, and establish a clear timeline of events. These capabilities are often essential for building a compelling case in litigation involving fraud and wrongdoing allegations. The case examples provided illustrate how digital forensics has been instrumental in uncovering fraudulent activities and supporting legal actions.
From the perspective of a digital forensic expert, the realm of commercial litigation is more reliant every day on digital forensics expertise because of our ever-expanding digital landscape. As a critical component of modern legal proceedings, the careful leveraging of electronic evidence can often be the decisive factor that shapes the outcome of a case.
However, the power of electronic evidence is not without its challenges. The risk of spoliation, the deliberate or accidental destruction of electronic evidence, looms large. Digital forensic experts must, therefore, be vigilant in advocating for the preservation of evidence, ensuring that no data is lost, tampered with, or compromised. The consequences of spoliation can be severe, leading to legal penalties and damaged credibility. As we move forward in this digital age, the collaboration between legal professionals and digital forensic experts will only grow in significance.
Lars Daniel is the Practice Leader of the Digital Forensics Division at Envista Forensics. He guides the growth and development of the practice, keeping Envista’s digital forensic capabilities on the cutting edge through a combination of technological solutions and the growth and development of world-class experts. Lars is the co-author of the book Digital Forensics for Legal Professionals: Understanding Digital Evidence from the Warrant to the Courtroom, published by Syngress. He also co-authored the book Digital Forensics Trial Graphics: Educating the Jury Through Effective Use of Visuals, published by Academic Press. Lars has qualified as an expert witness and testified in both state and federal courts in the United States and internationally, qualifying as a digital forensics expert, computer forensics expert, cell phone forensics expert, video forensics expert, and photo forensics expert. He has testified for both the defense and prosecution in criminal cases and the plaintiff and defense in civil cases. Lars has trained thousands of attorneys and claims professionals with over 350 classes taught, providing CLE (Continuing Legal Education) and CE (Continuing Education) classes across the United States.
Confidential customer lists, proprietary information, and executive strategy documents are being transferred out of an organization maliciously by employees, or former employees, using filesharing applications, cloud-based services, messaging applications, personal email accounts, or even simple photos of documents displayed on a computer, and captured with a cell phone camera.
Fraud and employee wrongdoing are constant challenges for organizations, and the fragile and volatile nature of digital evidence further complicates these challenges. Digital evidence is fragile because it is easily destroyed and volatile, meaning it can be easily changed. Yes, digital forensics can recover extensive amounts of deleted data and evidence. Still, the mishandling of digital evidence, even if it has no material impact on the relevant evidence, opens the door to claims of spoliation by the plaintiff’s counsel, and it is becoming more and more common in my experience for plaintiff attorneys to make spoliation a central issue and argument in a case.
Many of these spoliation claims arise out of misunderstandings by a business on what needs to be preserved and how. I worked on a case where the preservation language used by the plaintiff’s counsel was decades old, mentioning palm pilots and phone records without ever mentioning a physical cell phone. However, the plaintiff’s counsel argued that they asked for the actual phone because of the generic mention of “phone records” in the preservation language. The business had preserved the phone records, but as many companies do, they wiped and redeployed the cell phone, believing their preservation obligations had been met. Even with an excellent argument by the defense counsel, armed with a detailed expert affidavit from myself, the plaintiff won their motion, resulting in a negative inference against the defense.
Businesses and organizations can protect themselves from most spoliation claims involving digital evidence by implementing a handful of best practices, resulting in more defensible cases for defense counsel, especially in cases involving fraud or employee misconduct, where these spoliation claims muddy the waters and cast doubt upon what could otherwise be ironclad digital evidence.
Addressing Spoliation Risks
Digital data residing on electronic devices and in the cloud can provide invaluable evidence in cases of fraud and employee wrongdoing, but first things must come first. The first thing is the preservation of electronic evidence. Without this, claims of spoliation can nullify the opportunity to examine the data or cause so much confusion and conflict over the data that it becomes irrelevant or even detrimental to your case.
For businesses across America, the handling of digital evidence presents significant challenges. Since many organizations rarely face litigation, the discovery process is often foreign to them. When it occurs, managers and employees may find themselves grappling with uncertainty, particularly concerning the preservation of electronic information. They must figure out what digital evidence to secure and the means to secure it, often without clear guidance. With the complexity of modern IT business infrastructure, they might not even know where the data they access every day is stored or what devices it is synced to, nor the consequences of their actions on the data. The arrival of a broadly worded order to preserve electronic evidence can exacerbate this uncertainty, leaving everyone in a quandary of how exactly to comply with the order, let alone doing so while maintaining their regular job functions. This environment of speculation and guesswork is fertile ground for mistakes.
In such a climate, unintentional spoliation, the inadvertent destruction or alteration of evidence, can easily transpire, with potentially disastrous consequences for the organization. Employees' good intentions and diligent efforts are not safeguards against losing critical evidence. A judge may interpret such a loss as spoliation.
The cautionary saying, "ignorance of the law does not excuse you from breaking it," rings true in this context. The risk of unintentional spoliation is not confined to smaller enterprises with less skilled labor forces. Large corporations, even those with well-staffed and trained IT departments, are equally susceptible to these threats. This underscores the need for clear, robust procedures for handling digital evidence, and it reflects the complexity of the legal landscape and the potential ramifications for businesses of all sizes.
Preventing Spoliation: Proactive and Preemptive
The terms "proactive" and "preemptive" are often used interchangeably but have nuanced differences. Both approaches involve taking advance actions to manage potential future challenges, yet they differ in intent, timing, and scope.
A proactive approach aims to prepare for various future possibilities, including opportunities and threats. The intent is to prepare for what might come, but not necessarily the prevention of a specific event.
Preemption is targeted and specific. It aims to prevent a particular event or problem from occurring. The actions taken directly respond to a known or perceived threat or opportunity.
The Proactive Posture
The proactive posture is an ongoing, continuous strategy aimed at reducing the likelihood of spoliation through policy, education, and periodic reviews. It seeks to create a robust data environment that, by its very design, minimizes spoliation risks. The proactive approach aims for long-term risk mitigation by building a culture and infrastructure naturally resistant to spoliation risks. The most essential element in developing a proactive posture is communication and collaboration among legal counsel, their clients, and digital forensic experts.
Collaboration within the legal team is paramount during the preemptive phase of managing spoliation risks related to digital evidence. This phase before full litigation hinges on seamless teamwork between defense attorneys, in-house counsel, and digital forensic experts. The significance of this collaboration can be distilled into several key advantages.
Firstly, it enables the early identification of potential spoliation risks. With their technical acumen, digital forensic experts play a crucial role in pinpointing areas where data preservation may pose challenges or where evidence could be at risk. By merging legal and technical expertise, the team develops protocols that ensure all pertinent digital evidence is preserved effectively, minimizing susceptibility to spoliation claims. Collaborative efforts yield comprehensive preservation strategies.
Clear communication channels are fostered through collaboration as well. Legal professionals convey the legal obligations surrounding evidence preservation, while experts clarify the technical intricacies, forging a common understanding crucial for well-coordinated efforts. With the legal bases covered, digital forensic experts round out the picture by offering essential advice on employing forensically sound methods for data collection, safeguarding evidence's integrity, and ensuring its admissibility in court.
Furthermore, the collaborative endeavor aids in assessing the level of spoliation risk within the case. By pooling their collective knowledge, the team can identify high-risk areas and prioritize preservation efforts, reducing exposure to potential spoliation claims and fortifying the defense's position. Comprehensive documentation of preservation efforts is another outcome of working in tandem with clear expectations. Legal professionals and digital forensic experts together create clear records of all preservation activities. These records serve as crucial documentation in demonstrating the sincerity of preservation efforts if spoliation allegations arise.
While there is great benefit in attorneys and experts aligning their efforts to create a unified approach to spoliation prevention through a streamlined strategy, this preemptive work also assists in providing cost-efficiency through collaboration. By working together effectively with experts, the legal team can avoid redundant efforts and unnecessary costs, ensuring that preservation activities are directed towards the most pertinent data sources, optimizing resource allocation, and eliminating wasted time and effort.
Proactive decision-making is facilitated through this collaboration as well. The legal team, with insights from digital forensic experts, can make informed choices about when and how to issue preservation advisories or seek court orders, proactively mitigating potential spoliation risks.
Early engagement of digital forensic experts is pivotal. Collaboration ensures that these experts are involved at the very start of planning for future litigation, allowing the legal team to benefit from their expertise before a critical situation arises, laying a solid foundation for the entire legal process. Collaboration between the legal team and digital forensic experts during the preemptive phase is the cornerstone of effective spoliation risk mitigation. It brings together legal proficiency and technical know-how to create a robust, well-informed, and proactive approach to evidence preservation. This collaborative effort is indispensable for reducing spoliation risks and ensuring that the defense is well-prepared for any potential future litigation.
- Defined Protocols for Imminent Litigation
Consider a company that anticipates litigation concerning a defective product. As soon as this anticipation turns concrete, the company would trigger predefined protocols that suspend any auto-delete mechanisms on email threads or databases relevant to product design, testing, and customer complaints.
Protocols should be developed and understood jointly by the C-suite, internal counsel, outside counsel, the IT leaders inside the organization, and a digital forensics consultant. This ensures everyone knows what needs to be done in case of imminent litigation. The digital forensic consultant should be able to bridge the communication gap between technical and non-technical stakeholders, ensuring all the relevant data is identified for various scenarios and the collection methods for that data will hold up in court. Remember, IT departments contain very smart people, but they aim to keep an organization running. Digital forensics is about protecting and preserving data. Sometimes the methods utilized by IT and digital forensics experts can vary widely, especially on how data is handled. This is because they are very different disciplines, even though they share many foundational elements in common.
Breakdown: The Proactive Posture
- Data Assessment:
  - Legal: Defense attorneys and their digital forensic experts proactively assess the client's digital data landscape to identify data locations and type.
  - Digital Forensics: Experts play a pivotal role in this process by using their technical expertise to comprehensively locate and evaluate potential evidence sources, and how that data should be collected in case of litigation.
- Chain of Custody Protocols:
  - Legal: The defense team establishes rigorous chain of custody procedures to maintain the integrity of digital evidence in case of litigation.
  - Digital Forensics: Digital forensic experts guide the creation of these protocols to ensure that evidence remains unaltered and admissible in court.
- Immediate Preservation:
  - Legal: Defense attorneys should have pre-vetted digital forensics consultants on speed dial, who can provide immediate steps to preserve relevant digital evidence.
  - Digital Forensics: Experts ensure that preservation is conducted in a forensically sound manner, reducing the risk of unintentional spoliation during this crucial phase.
- Forensic Preservation Technology:
  - Legal: Defense attorneys and their experts pre-identify forensic preservation technologies for data collection to be used depending on the data type and location.
  - Digital Forensics: Experts ensure that the selected technologies are suitable for preserving digital evidence effectively and securely.
- Continuous Monitoring:
  - Legal: At regular intervals, defense attorneys and digital forensic experts maintain ongoing monitoring of company policies and practices to ensure that the way data is handled within an organization is appropriate.
  - Digital Forensics: Experts provide oversight, helping to ensure that data remains intact, and any deviations from company policy and defensible practices are promptly addressed.
The preemptive posture is geared toward immediate action, focused on rapidly containing and addressing the potential for spoliation as a direct response to imminent litigation. It is specific, targeted, and time-sensitive. In essence, the preemptive approach deals with the "here and now," aiming for immediate compliance and risk containment.
- Immediate Preservation Actions
The essence of the preemptive approach lies in immediate action. As the reality of litigation looms or the moment a preservation order lands on your desk, the first critical step is to make a forensic image or snapshot of all pertinent data. This action helps capture the data in its present state and verifies its authenticity for legal purposes.
Imagine a scenario where an employee is under suspicion for fraudulent activities. In this case, digital forensic experts would act swiftly to capture an image of the suspect’s workstation, email archives, and any network storage areas they may have accessed. This immediate action ensures that data is preserved exactly as it existed, a perfect snapshot in time that can be verified with mathematical hash algorithms, or “Digital DNA,” fulfilling legal obligations for evidence preservation.
While it sounds self-serving coming from me given that I run a digital forensics practice, I suggest to all businesses that they have a digital forensics firm on contract to perform what I call “preemptive acquisitions.” For example, suppose you have an employee who suddenly leaves and could possess confidential or sensitive business data. In that case, I suggest immediately making a forensic copy of that person’s electronic devices and cloud data. This removes potential claims of spoliation and preserves the data for future examination if the situation ever does come to litigation. It represents a minuscule upfront cost versus the cost to battle spoliation claims or find out that a sales executive is somehow poaching your most valuable customers, but unfortunately, their data was never preserved, so you have no recourse.
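The hash verification described above, shown as an added example that is not part of the original article: a file is hashed while it is copied, the copy is re-hashed, and each custody entry is chained to the one before it, so a later change to either the image or the record is detectable. The file names, actor label and log layout are assumptions made for illustration, and the sample data is constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large evidence files never sit in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image):
    """Copy source to image, hashing the bytes as they are read, then
    re-read the written image and confirm it matches the source hash."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    source_hash = h.hexdigest()
    if sha256_file(image) != source_hash:
        raise IOError("image does not match source; acquisition is not sound")
    os.chmod(image, 0o444)  # mark the preserved copy read-only
    return source_hash


def append_custody(log, action, actor, image, image_hash):
    """Append a custody entry whose hash covers the previous entry's hash,
    so editing or dropping an earlier entry breaks every later one."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "actor": actor,  # hypothetical examiner identifier
        "image": os.path.basename(image),
        "sha256": image_hash,
        "prev": prev,
    }
    body = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = hashlib.sha256(body).hexdigest()
    log.append(entry)
    return entry


def verify(log, image):
    """Return (log_intact, image_intact)."""
    prev, log_ok = "0" * 64, True
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or digest != entry["entry_hash"]:
            log_ok = False
            break
        prev = entry["entry_hash"]
    image_ok = bool(log) and sha256_file(image) == log[0]["sha256"]
    return log_ok, image_ok


def demo():
    """Constructed sample: acquire a small file, then show both failure modes."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "export.pst")  # constructed stand-in for a mailbox export
        image = os.path.join(d, "export.pst.img")
        with open(source, "wb") as f:
            f.write(b"constructed sample mailbox data\n" * 4096)
        log = []
        digest = acquire(source, image)
        append_custody(log, "acquired", "examiner-01", image, digest)
        append_custody(log, "transferred to evidence locker", "examiner-01", image, digest)
        clean = verify(log, image)
        # Failure mode 1: one byte of the image changes after acquisition.
        os.chmod(image, 0o644)
        with open(image, "r+b") as f:
            f.seek(100)
            f.write(b"X")
        altered_image = verify(log, image)
        # Failure mode 2: an earlier custody entry is edited after the fact.
        log[0]["actor"] = "someone-else"
        altered_log = verify(log, image)
        return clean, altered_image, altered_log


if __name__ == "__main__":
    print(demo())
```

A single changed byte flips the image check, and editing any earlier custody entry invalidates the chain from that point on, which is what lets the record support the preservation effort if it is later challenged.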
Breakdown: The Preemptive Posture
- Legal Awareness:
- Legal: Defense attorneys have and continue to proactively educate their clients about their legal obligations concerning evidence preservation.
- Digital Forensics: By engaging digital forensic to assist, defense attorneys can ensure that their clients fully comprehend these obligations, including the technical nuances, from the outset.
- Legal: Defense attorneys have and continue to proactively educate their clients about their legal obligations concerning evidence preservation.
- Preservation Advisories:
- Legal: Defense attorneys may send preservation advisories to the opposing party upon anticipating litigation, emphasizing the duty to preserve evidence.
- Digital Forensics: Digital forensic experts can help draft these advisories, ensuring they are comprehensive and technically accurate, thereby enhancing their effectiveness.
- Legal: Defense attorneys may send preservation advisories to the opposing party upon anticipating litigation, emphasizing the duty to preserve evidence.
- Preservation Protocols:
- Legal: Defense attorneys establish precise preservation protocols for their clients to follow.
- Digital Forensics: Working with experts from the beginning ensures that these protocols are technically sound and align with industry best practices.
- Documentation of Compliance:
- Legal: Attorneys encourage clients to maintain meticulous records of preservation efforts.
- Digital Forensics: Digital forensic experts can advise on what specific details should be documented, ensuring that records are thorough and suitable for legal purposes.
Uncovering Fraud and Employee Wrongdoing
In an era dominated by digital technology, organizations find themselves grappling with a growing challenge: the need to uncover and address instances of employee wrongdoing and fraud. Misconduct within the workplace, such as embezzlement, data theft, harassment, or unethical behavior, can have far-reaching consequences, both financially and reputationally. Fortunately, the very digital landscape that poses these challenges also offers a powerful tool: digital evidence.
Digital evidence encompasses a wide array of data generated, stored, and exchanged in the digital realm. This evidence can range from emails and text messages to computer logs, internet browsing histories, and data trail patterns. When harnessed effectively, digital evidence can provide a crucial window into the actions and intentions of employees, shedding light on potentially fraudulent or illicit activities.
- Employee Wrongdoing and Fraud: Data Theft
While employee wrongdoing can take many forms, and digital forensics can be utilized to answer the who, what, when, where, and why in a myriad of case scenarios, it is most often employed in data theft cases, which will be our focus.
In today's hyper-connected and data-driven world, the specter of employee data theft looms large for organizations across the spectrum. It's an insidious threat that often materializes during the turbulent periods of an employee's exit from a company, typically just before or immediately after they resign or are terminated. To effectively combat this challenge, organizations must develop a nuanced understanding of the tactics employed by data thieves and equip themselves with the right strategies to safeguard their valuable information assets. While I have seen novel means utilized by disgruntled employees to steal data, most cases involve one or more of the following common warning signs:
- Personal USB or Hard Drive Usage
When an employee on the brink of departure starts showing a sudden interest in personal USB thumb drives or external hard drives, it's a clear signal that they might be attempting to siphon off critical company data. These portable storage devices can easily conceal stolen information.
- Unusual Work Patterns
Another hallmark of potential data theft is an employee's abrupt shift in work patterns. They may begin showing up at the workplace during odd hours or establishing remote desktop connections well outside their usual schedule. These deviations often signify covert attempts to access or transfer data discreetly.
- Excessive Data Transfers
A sudden and significant increase in data transfers within the organization's network is a glaring sign of potential data theft. These surges in data movement can occur rapidly and indicate that unauthorized transfers are taking place.
- Frequent Visits to File Sharing Sites
Employees who frequently access file-sharing platforms like Dropbox or Google Drive from their company-issued computers and cell phones should raise a red flag. This behavior might signify an effort to upload sensitive company data to personal cloud storage accounts.
- Emailing Work Files to Personal Accounts
One of the more blatant indicators is when an employee begins sending work-related emails with attachments to their personal email accounts. This suggests a clear intention to retain company data for personal use or potentially for malicious purposes.
When suspicions of employee data theft arise, organizations should follow a structured approach for the internal investigation. Here's a comprehensive roadmap:
- Preservation of Electronic Evidence
The first step is to avoid any deletions or alterations on the suspect's device. For example, if the device is a computer, in almost all instances, it would be advisable to disconnect the computer from the company’s network to thwart any attempts at remote access. This is also true for cell phones, which should be placed into airplane mode with wireless connectivity turned off, or powered off entirely, to prevent remote wiping of the device.
- Secure Storage
To further safeguard potential evidence, the employee's login credentials for all their cloud accounts and physical devices should be disabled or altered to prevent any unauthorized access. Under no circumstances should the organization factory reset or reallocate the device, as this could inadvertently destroy or overwrite critical evidence.
- Leverage Digital Forensic Expertise
The complexity of employee data theft investigations often necessitates the engagement of a qualified digital forensics expert. This expert plays a pivotal role in methodically preserving and subsequently analyzing electronic evidence. Their responsibilities encompass creating a meticulous chain of custody documentation, ensuring the preservation of the digital evidence, creating a forensic copy of that evidence, and examining it in accordance with digital forensic best practices. Using the example of an examination of a computer belonging to a suspect, you could expect a digital forensic examiner to perform the following analysis, among others:
- Comprehensive USB Activity Analysis
The scrutiny of USB activity logs is a pivotal component of the investigation. It serves to establish a clear timeline of potential data theft, providing valuable insights into when and how USB devices were connected and what data may have been transferred.
- In-Depth Files Recently Opened Analysis
Delving into the digital artifacts on the suspect's computer is essential to determine which files were recently accessed and their source. Any suspicious activity, such as accessing unrelated files during the last week of employment, may serve as a crucial indicator of data copying.
- Thorough Cloud Storage Scrutiny
Investigating cloud storage services is critical to identifying signs of data uploads or access. Log files and concealed folders can yield invaluable insights, even if data has been deleted from shared folders. These services often leave digital breadcrumbs that can be crucial to the investigation.
- Examine Email and Internet History
Scrutinizing the suspect's email accounts for signs of misconduct and analyzing their internet history can provide a deeper understanding of their intentions and actions. This comprehensive examination extends to uncovering evidence of any attempts to communicate or transfer sensitive data through digital channels.
Case Examples
The following case examples illustrate how digital evidence can be leveraged in your cases involving fraud and employee wrongdoing. Digital forensics can be used to uncover financial irregularities, analyze electronic communications, and establish a clear timeline of events. These capabilities are often essential for building a compelling case in litigation involving fraud and wrongdoing allegations. The case examples provided illustrate how digital forensics has been instrumental in uncovering fraudulent activities and supporting legal actions.
- Case Example: The Departing IT Professional
At a prominent company that develops advanced automation products, a seasoned IT professional tendered their resignation. Concerns quickly arose given the circumstances of their departure, prompting the organization's legal department to initiate a thorough investigation with the assistance of our digital forensics experts.
The investigation uncovered that the departing developer had accessed a company server late at night, well after their usual working hours. Subsequent analysis revealed a substantial transfer of proprietary data to a personal USB drive.
Our experts examined the server and were able to unveil a digital breadcrumb trail of USB activity, conclusively confirming the unauthorized data transfer to a personal USB drive. Further, the IT professional’s work laptop was examined, confirming that the USB drive was used on both devices.
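An added example (not the author's tooling or code from the original article) of the correlation this case turns on: extracting USB storage first-connection records from two machines, matching the device serial across them, and flagging connections outside working hours. It assumes Windows hosts whose setupapi.dev.log records first-time device installs and business hours of 08:00 to 18:00 on weekdays; the log excerpts, device names, and serials are constructed.

```python
import re
from datetime import datetime
# Constructed excerpts in the style of Windows setupapi.dev.log; all names and serials are made up.
SERVER_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Example&Prod_Flash&Rev_1.00\AA11BB22CC33&0]
>>>  Section start 2024/03/14 23:47:09.512
>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0001\5&1a2b3c&0&2]
>>>  Section start 2024/03/11 09:15:00.100
"""
LAPTOP_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Example&Prod_Flash&Rev_1.00\AA11BB22CC33&0]
>>>  Section start 2024/03/12 10:02:44.250
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Other&Prod_Drive&Rev_2.00\ZZ99YY88&0]
>>>  Section start 2024/02/01 14:30:00.000
"""
# A USBSTOR install header followed by its "Section start" timestamp (host local time).
SECTION = re.compile(
    r"^>>>\s+\[Device Install[^\n]*? - USBSTOR\\(?P<model>[^\\\]]+)\\(?P<inst>[^\\\]]+)\]\s*\n"
    r">>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})", re.MULTILINE)

def usb_storage_installs(log_text, host):
    """Return first-install events for USB mass-storage devices with a unique serial."""
    events = []
    for m in SECTION.finditer(log_text):
        inst = m["inst"]
        if len(inst) > 1 and inst[1] == "&":
            continue  # system-generated ID: the device reports no unique serial to match on
        events.append({"host": host, "model": m["model"], "serial": inst.rsplit("&", 1)[0],
                       "first_seen": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")})
    return events

def off_hours(ts, start=8, end=18):
    """Assumed business hours: weekdays, 08:00 up to 18:00."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)

def correlate(*event_lists):
    """Report serials seen on more than one host, with a time-ordered, flagged timeline."""
    by_serial = {}
    for ev in (e for events in event_lists for e in events):
        by_serial.setdefault(ev["serial"], []).append(ev)
    report = []
    for serial, evs in by_serial.items():
        hosts = sorted({e["host"] for e in evs})
        if len(hosts) > 1:
            timeline = sorted((e["first_seen"], e["host"], off_hours(e["first_seen"])) for e in evs)
            report.append({"serial": serial, "hosts": hosts, "timeline": timeline})
    return report
REPORT = correlate(usb_storage_installs(SERVER_LOG, "server"), usb_storage_installs(LAPTOP_LOG, "laptop"))
```

These records show only when a device was first installed on each host, in that host's local time; later connections and file-level activity come from other artifacts.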
- Case Example: The Banking Executive
A banking executive came under internal investigation due to questionable activities. He was told to turn over his electronic devices, and subsequently attempted to factory reset his cell phone, while also utilizing anti-forensic tools to erase the data on his company laptop and personal laptop.
Our examiners were tasked with recovering evidence of the wrongdoing. The personal laptop had been completely wiped, and the phone as well. However, by examining the work laptop, which had anti-forensic tools executed against it, resulting in a partial erasure, we were still able to recover an iPhone backup from iTunes. Inside this backup were the emails demonstrating the fraudulent activity by the executive, resulting in his immediate termination.
- Case Example: Breach of Contract by Voicemail
The plaintiff claimed that the defendant had altered the date and time metadata of a voicemail file to make it appear as if that voicemail was received after signing a contract and not before, which would thereby demonstrate that the defense did not meet certain contractual obligations.
The timeline of events, reconstructed from digital evidence, played a crucial role in the litigation. Our examiners were able to prove conclusively that the voicemail had not been altered and that the time anomaly was due to the automated functioning of the voicemail service.
- Case Example: Kidnappers, Credit Cards, and an Apple Watch
A company executive went on an international business trip. When he returned to the United States, he informed his company that he had been kidnapped and tied up, and that his company card had been stolen. After a period of about six hours, he said that the kidnappers returned his company credit card and let him go.
Given these unusual circumstances, concerns were raised as to the authenticity of his story. My team was tasked with examining the executive’s Apple Watch and iPhone to see if his location data and activity corroborated his story.
When examining the data from his Apple Watch, we were able to determine that his device recorded miles of walking in the time that he was allegedly tied up. Further, we recovered a forensic artifact from the translation app on the phone, whereby the executive declares his affection and romantic interest to a woman he met. While he deleted his text messages to her, we recovered the translation file, which contained all the communication in English and the local language. He was not kidnapped and instead had committed financial fraud against his own company.
From the perspective of a digital forensic expert, the realm of commercial litigation is more reliant every day on digital forensics expertise because of our ever-expanding digital landscape. As a critical component of modern legal proceedings, the careful leveraging of electronic evidence can often be the decisive factor that shapes the outcome of a case.
However, the power of electronic evidence is not without its challenges. The risk of spoliation, the deliberate or accidental destruction of electronic evidence, looms large. Digital forensic experts must, therefore, be vigilant in advocating for the preservation of evidence, ensuring that no data is lost, tampered with, or compromised. The consequences of spoliation can be severe, leading to legal penalties and damaged credibility. As we move forward in this digital age, the collaboration between legal professionals and digital forensic experts will only grow in significance.
Lars Daniel is the Practice Leader of the Digital Forensics Division at Envista Forensics. He guides the growth and development of the practice, keeping Envista’s digital forensic capabilities on the cutting edge through a combination of technological solutions and the growth and development of world-class experts. Lars is the co-author of the book Digital Forensics for Legal Professionals: Understanding Digital Evidence from the Warrant to the Courtroom, published by Syngress. He also co-authored the book Digital Forensics Trial Graphics: Educating the Jury Through Effective Use of Visuals, published by Academic Press. Lars has qualified as an expert witness and testified in both state and federal courts in the United States and internationally, qualifying as a digital forensics expert, computer forensics expert, cell phone forensics expert, video forensics expert, and photo forensics expert. He has testified for both the defense and prosecution in criminal cases and the plaintiff and defense in civil cases. Lars has trained thousands of attorneys and claims professionals with over 350 classes taught, providing CLE (Continuing Legal Education) and CE (Continuing Education) classes across the United States.